documentation/9.3.28.v20191105/setting-port80-access.html - www.eclipse.org/jetty - Git at Google

 <html><head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Setting Port 80 Access for a Non-Root User</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-connectors.html" title="Chapter&nbsp;6.&nbsp;Configuring Jetty Connectors"><link rel="prev" href="configuring-ssl.html" title="Configuring SSL/TLS"><link rel="next" href="configuring-security.html" title="Chapter&nbsp;7.&nbsp;Configuring Security"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script>
       hljs.initHighlightingOnLoad();
     </script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
             Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Setting Port 80 Access for a Non-Root User</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;6.&nbsp;Configuring Jetty Connectors<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="configuring-security.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
           <span class="website">www.webtide.com</span></a></h5><p>
  private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
  scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development
       </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="setting-port80-access"></a>Setting Port 80 Access for a Non-Root User</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="setting-port80-access.html#using-ipchains">Using ipchains</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-iptables">Using iptables</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#configuring-jetty-setuid-feature">Configuring Jetty&#8217;s SetUID Feature</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-solaris10-user-rights-management-framework">Using the Solaris 10 User Rights Management Framework</a></span></dt></dl></div><p>On Unix-based systems, port 80 is protected; typically only the superuser <code class="literal">root</code> can open it. For security reasons, it is not desirable to run the server as <code class="literal">root</code>.
 This page presents several options to access port 80 as a non-root user, including using <code class="literal">ipchains</code>, <code class="literal">iptables</code>, Jetty&#8217;s SetUID feature, <code class="literal">xinetd</code>, and the Solaris 10 User Rights Management Framework.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-ipchains"></a>Using ipchains</h3></div></div></div><p>On some Linux systems you can use the <span class="emphasis"><em>ipchains REDIRECT</em></span> mechanism to redirect from one port to another inside the kernel (if <code class="literal">ipchains</code> is not available, then <code class="literal">iptables</code> usually is):</p><div class="screenexample"><pre class="screen"># /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080</pre></div><p>This command instructs the system as follows: "Insert into the kernel&#8217;s packet filtering the following as the first rule to check on incoming packets: if the protocol is TCP and the destination port is 80, redirect the packet to port 8080".
 Be aware that your kernel must be compiled with support for <code class="literal">ipchains</code> (virtually all stock kernels are).
 You must also have the <code class="literal">ipchains</code> command-line utility installed.
 You can run this command at any time, preferably just once, since it inserts another copy of the rule every time you run it.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-iptables"></a>Using iptables</h3></div></div></div><p>On many Linux systems you can use the <code class="literal">iptables</code> REDIRECT mechanism to redirect from one port to another inside the kernel (if <code class="literal">iptables</code> is not available, then usually <code class="literal">ipchains</code> is).</p><p>You need to add something like the following to the startup scripts or your firewall rules:</p><div class="screenexample"><pre class="screen"># /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</pre></div><p>The underlying model of <code class="literal">iptables</code> is different from <code class="literal">ipchains</code>, so the forwarding normally happens only to packets originating outside of the server itself.
 You also need to allow incoming packets to port 8080 if you use <code class="literal">iptables</code> as a local firewall.</p><p>Be careful to place rules like this one early in your <span class="emphasis"><em>input</em></span> chain.
 Such rules must precede any rule that accepts the packet, otherwise the redirection won&#8217;t occur.
 You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="configuring-jetty-setuid-feature"></a>Configuring Jetty&#8217;s SetUID Feature</h3></div></div></div><p><a class="link" href="http://en.wikipedia.org/wiki/Setuid" target="_top">SetUID</a> is a technique that uses Unix-like file system access rights to allow users to run an executable that would otherwise require higher privileges.</p><p>Jetty&#8217;s <code class="literal">SetUID</code> module allows you to run Jetty as a normal user even when you need to run Jetty on port 80 or 443.</p><p>To use it with the Jetty distribution:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Ensure that you have the <code class="literal">http.mod</code> (and <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS &amp; HTTP2">https.mod</a> if you are using SSL) <a class="link" href="startup-modules.html" title="Managing Startup Modules">modules enabled</a> for the <a class="link" href="quickstart-running-jetty.html#creating-jetty-base" title="Creating a new Jetty Base">base</a> you are using.
 The <code class="literal">http.mod</code> is enabled by default in the distribution, while the <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS &amp; HTTP2">https.mod</a> is only enabled in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory.</li><li class="listitem">Ensure that you have <a class="link" href="quickstart-running-jetty.html#quickstart-changing-jetty-port" title="Changing the Jetty Port">changed the http port</a> to 80 (and <a class="link" href="quickstart-running-jetty.html#quickstart-changing-https-port" title="Changing the Jetty HTTPS Port">changed the https port</a> to 443 if you are using SSL).</li><li class="listitem"><p class="simpara">Enable the <code class="literal">setuid.mod</code> module:</p><div class="screenexample"><pre class="screen"># java -jar start.jar --add-to-start=setuid</pre></div><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>The --add-to-start command will enable the setuid module for this and all subsequent executions of jetty.
 There are other ways to enable the module, such as for a single execution.
 For more information on the alternatives see the section on <a class="link" href="startup-modules.html" title="Managing Startup Modules">Managing Startup Modules</a>.</p></div></blockquote></div></li><li class="listitem"><p class="simpara">Edit the configuration for the <code class="literal">setuid</code> module to substitute the <code class="literal">userid</code> and <code class="literal">groupid</code> of the user to switch to after starting.
 If you used the <code class="literal">--add-to-start</code> command, this configuration is in the <code class="literal">start.ini</code> file.
 If you used the <code class="literal">--add-to-startd</code> command instead, this configuration is in the <code class="literal">start.d/setuid.ini</code> file instead.</p><pre class="literallayout">Below are the lines to configure:</pre><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>jetty.startServerAsPrivileged=false
 jetty.username=foo
 jetty.groupname=bar
 jetty.umask=002</code></pre><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>As well as opening the connectors as <code class="literal">root</code>, you can also have Jetty start the Server as <code class="literal">root</code> before changing to the non-<code class="literal">root</code> user.</p></div></blockquote></div></li><li class="listitem"><p class="simpara">A native code library is required to perform user switching.
 This code is hosted as part of the Jetty ToolChain project and is released independently from Jetty itself.
 You can find the source code <a class="link" href="https://github.com/eclipsejetty.toolchain" target="_top">here</a> in the <a class="link" href="https://github.com/eclipse/jetty.toolchain/jetty-setuid" target="_top">jetty-setuid</a> project.
 Build it locally, which will produce a native library appropriate for the operating system:</p><div class="screenexample"><pre class="screen"># mvn clean install</pre></div><p class="simpara">If you built on a linux machine you will find the native library in <code class="literal">jetty-setuid/libsetuid-linux/target/libsetuid-linux.so</code>.
 If you built on a different operating system you will find the library in a different subdirectory, with the name containing the name of the operating system.
 You may want copy this file into your Jetty distribution&#8217;s lib directory.</p></li><li class="listitem"><p class="simpara">Start Jetty as the <code class="literal">root</code> user in your base directory, providing the location of the native library to Java.
 Below is an example of how to do it from the command line, assuming you are in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory:</p><div class="screenexample"><pre class="screen"># sudo java -Djava.library.path=libsetuid-linux -jar $JETTY_HOME/start.jar</pre></div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-solaris10-user-rights-management-framework"></a>Using the Solaris 10 User Rights Management Framework</h3></div></div></div><p>Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:</p><div class="screenexample"><pre class="screen">usermod -K defaultpriv=basic,net_privaddr myself</pre></div><p>Now the <code class="literal">myself</code> user can bind to port 80.</p><p>Refer to the <a class="link" href="http://docs.oracle.com/cd/E23823_01/html/816-4557/prbactm-1.html#scrolltoc" target="_top">Solaris 10</a> and <a class="link" href="http://docs.oracle.com/cd/E23824_01/html/821-1456/prbactm-1.html#scrolltoc" target="_top">Solaris 11 Security Services documentation</a> for more information.</p></div></div><script type="text/javascript">
       SyntaxHighlighter.all()
     </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="configuring-connectors.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="configuring-security.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Configuring SSL/TLS&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;7.&nbsp;Configuring Security</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
             See an error or something missing?
             <span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at
                 <span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html>
	<html><head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>Setting Port 80 Access for a Non-Root User</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-connectors.html" title="Chapter 6. Configuring Jetty Connectors"><link rel="prev" href="configuring-ssl.html" title="Configuring SSL/TLS"><link rel="next" href="configuring-security.html" title="Chapter 7. Configuring Security"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script>
	hljs.initHighlightingOnLoad();
	</script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
	Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Setting Port 80 Access for a Non-Root User</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><th width="60%" align="center">Chapter 6. Configuring Jetty Connectors<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="configuring-security.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
	<span class="website">www.webtide.com</span></a></h5><p>
	private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
	scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development
	</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="setting-port80-access"></a>Setting Port 80 Access for a Non-Root User</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="setting-port80-access.html#using-ipchains">Using ipchains</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-iptables">Using iptables</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#configuring-jetty-setuid-feature">Configuring Jetty’s SetUID Feature</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-solaris10-user-rights-management-framework">Using the Solaris 10 User Rights Management Framework</a></span></dt></dl></div><p>On Unix-based systems, port 80 is protected; typically only the superuser <code class="literal">root</code> can open it. For security reasons, it is not desirable to run the server as <code class="literal">root</code>.
	This page presents several options to access port 80 as a non-root user, including using <code class="literal">ipchains</code>, <code class="literal">iptables</code>, Jetty’s SetUID feature, <code class="literal">xinetd</code>, and the Solaris 10 User Rights Management Framework.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-ipchains"></a>Using ipchains</h3></div></div></div><p>On some Linux systems you can use the <span class="emphasis"><em>ipchains REDIRECT</em></span> mechanism to redirect from one port to another inside the kernel (if <code class="literal">ipchains</code> is not available, then <code class="literal">iptables</code> usually is):</p><div class="screenexample"><pre class="screen"># /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080</pre></div><p>This command instructs the system as follows: "Insert into the kernel’s packet filtering the following as the first rule to check on incoming packets: if the protocol is TCP and the destination port is 80, redirect the packet to port 8080".
	Be aware that your kernel must be compiled with support for <code class="literal">ipchains</code> (virtually all stock kernels are).
	You must also have the <code class="literal">ipchains</code> command-line utility installed.
	You can run this command at any time, preferably just once, since it inserts another copy of the rule every time you run it.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-iptables"></a>Using iptables</h3></div></div></div><p>On many Linux systems you can use the <code class="literal">iptables</code> REDIRECT mechanism to redirect from one port to another inside the kernel (if <code class="literal">iptables</code> is not available, then usually <code class="literal">ipchains</code> is).</p><p>You need to add something like the following to the startup scripts or your firewall rules:</p><div class="screenexample"><pre class="screen"># /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</pre></div><p>The underlying model of <code class="literal">iptables</code> is different from <code class="literal">ipchains</code>, so the forwarding normally happens only to packets originating outside of the server itself.
	You also need to allow incoming packets to port 8080 if you use <code class="literal">iptables</code> as a local firewall.</p><p>Be careful to place rules like this one early in your <span class="emphasis"><em>input</em></span> chain.
	Such rules must precede any rule that accepts the packet, otherwise the redirection won’t occur.
	You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="configuring-jetty-setuid-feature"></a>Configuring Jetty’s SetUID Feature</h3></div></div></div><p><a class="link" href="http://en.wikipedia.org/wiki/Setuid" target="_top">SetUID</a> is a technique that uses Unix-like file system access rights to allow users to run an executable that would otherwise require higher privileges.</p><p>Jetty’s <code class="literal">SetUID</code> module allows you to run Jetty as a normal user even when you need to run Jetty on port 80 or 443.</p><p>To use it with the Jetty distribution:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Ensure that you have the <code class="literal">http.mod</code> (and <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS & HTTP2">https.mod</a> if you are using SSL) <a class="link" href="startup-modules.html" title="Managing Startup Modules">modules enabled</a> for the <a class="link" href="quickstart-running-jetty.html#creating-jetty-base" title="Creating a new Jetty Base">base</a> you are using.
	The <code class="literal">http.mod</code> is enabled by default in the distribution, while the <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS & HTTP2">https.mod</a> is only enabled in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory.</li><li class="listitem">Ensure that you have <a class="link" href="quickstart-running-jetty.html#quickstart-changing-jetty-port" title="Changing the Jetty Port">changed the http port</a> to 80 (and <a class="link" href="quickstart-running-jetty.html#quickstart-changing-https-port" title="Changing the Jetty HTTPS Port">changed the https port</a> to 443 if you are using SSL).</li><li class="listitem"><p class="simpara">Enable the <code class="literal">setuid.mod</code> module:</p><div class="screenexample"><pre class="screen"># java -jar start.jar --add-to-start=setuid</pre></div><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>The --add-to-start command will enable the setuid module for this and all subsequent executions of jetty.
	There are other ways to enable the module, such as for a single execution.
	For more information on the alternatives see the section on <a class="link" href="startup-modules.html" title="Managing Startup Modules">Managing Startup Modules</a>.</p></div></blockquote></div></li><li class="listitem"><p class="simpara">Edit the configuration for the <code class="literal">setuid</code> module to substitute the <code class="literal">userid</code> and <code class="literal">groupid</code> of the user to switch to after starting.
	If you used the <code class="literal">--add-to-start</code> command, this configuration is in the <code class="literal">start.ini</code> file.
	If you used the <code class="literal">--add-to-startd</code> command instead, this configuration is in the <code class="literal">start.d/setuid.ini</code> file instead.</p><pre class="literallayout">Below are the lines to configure:</pre><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>jetty.startServerAsPrivileged=false
	jetty.username=foo
	jetty.groupname=bar
	jetty.umask=002</code></pre><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>As well as opening the connectors as <code class="literal">root</code>, you can also have Jetty start the Server as <code class="literal">root</code> before changing to the non-<code class="literal">root</code> user.</p></div></blockquote></div></li><li class="listitem"><p class="simpara">A native code library is required to perform user switching.
	This code is hosted as part of the Jetty ToolChain project and is released independently from Jetty itself.
	You can find the source code <a class="link" href="https://github.com/eclipsejetty.toolchain" target="_top">here</a> in the <a class="link" href="https://github.com/eclipse/jetty.toolchain/jetty-setuid" target="_top">jetty-setuid</a> project.
	Build it locally, which will produce a native library appropriate for the operating system:</p><div class="screenexample"><pre class="screen"># mvn clean install</pre></div><p class="simpara">If you built on a linux machine you will find the native library in <code class="literal">jetty-setuid/libsetuid-linux/target/libsetuid-linux.so</code>.
	If you built on a different operating system you will find the library in a different subdirectory, with the name containing the name of the operating system.
	You may want copy this file into your Jetty distribution’s lib directory.</p></li><li class="listitem"><p class="simpara">Start Jetty as the <code class="literal">root</code> user in your base directory, providing the location of the native library to Java.
	Below is an example of how to do it from the command line, assuming you are in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory:</p><div class="screenexample"><pre class="screen"># sudo java -Djava.library.path=libsetuid-linux -jar $JETTY_HOME/start.jar</pre></div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-solaris10-user-rights-management-framework"></a>Using the Solaris 10 User Rights Management Framework</h3></div></div></div><p>Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:</p><div class="screenexample"><pre class="screen">usermod -K defaultpriv=basic,net_privaddr myself</pre></div><p>Now the <code class="literal">myself</code> user can bind to port 80.</p><p>Refer to the <a class="link" href="http://docs.oracle.com/cd/E23823_01/html/816-4557/prbactm-1.html#scrolltoc" target="_top">Solaris 10</a> and <a class="link" href="http://docs.oracle.com/cd/E23824_01/html/821-1456/prbactm-1.html#scrolltoc" target="_top">Solaris 11 Security Services documentation</a> for more information.</p></div></div><script type="text/javascript">
	SyntaxHighlighter.all()
	</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="configuring-connectors.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="configuring-security.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Configuring SSL/TLS </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Configuring Security</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
	See an error or something missing?
	<span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at
	<span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html>